A lot of people say threat intelligence (TI) tastes good, but few understand how to cook it. Even fewer know which processes to set up so that TI actually works and pays for itself. And only a negligible number know how to choose a feed provider, where to check an indicator for false positives, and whether it is worth blocking a domain that a colleague sent over WhatsApp.
We had two commercial APT subscriptions, ten information exchanges, about a dozen free feeds, and an extensive list of TOR exit nodes. We also had a couple of strong reverse engineers, a stack of PowerShell scripts, a Loki scanner and a paid VirusTotal subscription. Not that a security incident response center won't work without all of these, but if you are going to catch complex attacks, you have to go the whole hog.
What I was particularly concerned with was automating the checking of indicators of compromise (IOCs). There's nothing as immoral as artificial intelligence replacing a human in an activity that requires thinking. However, I realized that my company would face that challenge sooner or later as our customer base grew.
Over several years of continuous TI work I have stepped on plenty of rakes, so here are some tips that will help newcomers avoid the most common mistakes.
Tip 1. Don't pin too many hopes on catching malware by hash: most malware is polymorphic these days
Threat intelligence data comes in many formats and forms. It may include IP addresses of botnet Command and Control servers, email addresses used in phishing campaigns, or articles on evasion techniques that APT groups are about to start using. Long story short, it can be many different things.
To sort this whole mess out, David Bianco proposed what is called the Pyramid of Pain. It ranks the types of indicator you use to detect an attacker by how much "pain" detecting that particular IOC causes the attacker.
For instance, if you know the MD5 hash of a malicious file, the file can be detected easily and accurately. However, this causes the attacker very little pain, because adding only 1 bit…
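To make the bottom of the pyramid concrete, here is a small Python illustration I am adding to this post (it is my example, not a tool from any of the feeds or vendors mentioned above). It sorts raw indicator strings into Pyramid of Pain levels, then takes a constructed fake "binary" that embeds a hard-coded C2 domain (`c2.example.invalid`, an assumed placeholder), flips a single bit of padding in it, and reports which indicator levels still match. The MD5 IOC dies with the one-bit change; the domain-level IOC survives.

```python
import hashlib
import ipaddress
import re

# David Bianco's Pyramid of Pain, from the easiest indicator for an attacker
# to change (bottom) to the hardest (top). Only the bottom three levels can be
# matched by simple string comparison; artifacts, tools and TTPs need
# behavioural detection, which is out of scope for this illustration.
PAIN_LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

_HEX_HASH = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256
_DOMAIN = re.compile(r"(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def classify_indicator(ioc: str) -> str:
    """Map a raw indicator string to its Pyramid of Pain level ("unknown" if unparsed)."""
    s = ioc.strip().lower()
    if _HEX_HASH.fullmatch(s):
        return "hash"
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN.fullmatch(s):
        return "domain"
    return "unknown"


def pain_rank(level: str) -> int:
    """Higher rank = more pain for the attacker when this indicator type is detected."""
    return PAIN_LEVELS.index(level) if level in PAIN_LEVELS else -1


def flip_one_bit(data: bytes, byte_index: int = -1, bit: int = 0) -> bytes:
    """Return a copy of data with one bit flipped, a stand-in for polymorphic repacking."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def indicator_survival(original: bytes, variant: bytes, c2_domain: str) -> dict:
    """Report which indicator levels still match a mutated variant of a known sample.

    'hash'   : MD5 of the original (a feed-style hash IOC) checked against the variant
    'domain' : the C2 domain string embedded in the binary checked against the variant
    """
    known_md5 = hashlib.md5(original).hexdigest()
    return {
        "hash": hashlib.md5(variant).hexdigest() == known_md5,
        "domain": c2_domain.encode() in variant,
    }


# Constructed sample: a fake "binary" with a hard-coded C2 domain. Not real malware,
# and the domain is an assumed placeholder, not an indicator from any feed.
C2_DOMAIN = "c2.example.invalid"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"connect " + C2_DOMAIN.encode() + b"\x00"


if __name__ == "__main__":
    variant = flip_one_bit(SAMPLE, byte_index=10)  # attacker changes one bit of padding
    print("survival after a 1-bit change:", indicator_survival(SAMPLE, variant, C2_DOMAIN))
    for ioc in ["d41d8cd98f00b204e9800998ecf8427e", "198.51.100.7", C2_DOMAIN, "not an ioc"]:
        level = classify_indicator(ioc)
        print(f"{ioc!r:40} -> {level} (pain rank {pain_rank(level)})")
```

The point for an automated IOC checker is in `indicator_survival`: a hash IOC from a feed is only as good as the exact sample it was taken from, while an IP or domain IOC keeps matching across repacked variants, so a checker should weight its findings by `pain_rank` rather than treating every hit the same.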